1 define profile::postgresql_master (
2 $letsencrypt_host = undef,
5 $password_seed = lookup("base_installation::puppet_pass_seed")
7 ensure_resource("file", "/var/lib/postgres/data/certs", {
10 owner => $::profile::postgresql::pg_user,
11 group => $::profile::postgresql::pg_user,
12 require => File["/var/lib/postgres"],
15 ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", {
16 source => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem",
19 owner => $::profile::postgresql::pg_user,
20 group => $::profile::postgresql::pg_user,
21 require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
24 ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", {
25 source => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
28 owner => $::profile::postgresql::pg_user,
29 group => $::profile::postgresql::pg_user,
30 require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
33 ensure_resource("postgresql::server::config_entry", "wal_level", {
37 ensure_resource("postgresql::server::config_entry", "ssl", {
39 require => Letsencrypt::Certonly[$letsencrypt_host],
42 ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
43 value => "/var/lib/postgres/data/certs/cert.pem",
44 require => Letsencrypt::Certonly[$letsencrypt_host],
47 ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
48 value => "/var/lib/postgres/data/certs/privkey.pem",
49 require => Letsencrypt::Certonly[$letsencrypt_host],
52 $backup_hosts.each |$backup_host| {
53 ensure_packages(["pam_ldap"])
55 $host = find_host($facts["ldapvar"]["other"], $backup_host)
57 $host["ipHostNumber"].each |$ip| {
58 $infos = split($ip, "/")
59 $ipaddress = $infos[0]
60 if (length($infos) == 1 and $ipaddress =~ /:/) {
62 } elsif (length($infos) == 1) {
68 postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
70 database => 'replication',
72 address => "$ipaddress/$mask",
78 postgresql::server::role { $backup_host:
82 postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
88 $ldap_server = lookup("base_installation::ldap_server")
89 $ldap_base = lookup("base_installation::ldap_base")
90 $ldap_dn = lookup("base_installation::ldap_dn")
91 $ldap_cn = lookup("base_installation::ldap_cn")
92 $ldap_password = generate_password(24, $password_seed, "ldap")
93 $ldap_attribute = "cn"
# Role created on the master; it is expected to reach the backup hosts through the
# streaming replication set up above (wal_level, pg_hba replication rules, per-host
# replication slots). Its password presumably comes from $ldap_password, which
# generate_password() derives from base_installation::puppet_pass_seed, so that
# seed must be kept secret (anyone holding it can recreate the credential).
96 postgresql::server::role { $ldap_cn:
100 file { "/etc/pam_ldap.d":
106 file { "/etc/pam_ldap.d/postgresql.conf":
109 owner => $::profile::postgresql::pg_user,
111 content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
113 file { "/etc/pam.d/postgresql":
118 source => "puppet:///modules/profile/postgresql_master/pam_postgresql"